A CVE has been assigned for a bug fixed upstream in libgd:
http://openwall.com/lists/oss-security/2016/06/30/10

That was the first issue fixed upstream in issue #247. A second bug reported in issue #247 has been fixed in the following commit:
https://github.com/libgd/libgd/commit/341aa68

and a CVE has been requested for it too:
http://openwall.com/lists/oss-security/2016/07/13/5

Finally, a CVE has been requested for upstream issue #248:
http://openwall.com/lists/oss-security/2016/07/12/4

There's a pull request with a fix, but it hasn't been approved/committed yet.

I have committed the CVE-2016-6132 fix in SVN (pushed in Cauldron), but am waiting for CVEs and a fix to be committed for the last issue.

The update for Mageia 5 will also fix a bug in the last update that caused some builds against libgd to fail.
(In reply to David Walser from comment #0)
> A second bug reported in issue #247 has been fixed in the following commit:
> https://github.com/libgd/libgd/commit/341aa68
>
> and a CVE has been requested for it too:
> http://openwall.com/lists/oss-security/2016/07/13/5

CVE-2016-6214:
http://openwall.com/lists/oss-security/2016/07/13/12
Summary: libgd new security issue CVE-2016-6132 => libgd new security issues CVE-2016-6132 and CVE-2016-6214
Assigning to maintainer, but CC'ing all packagers collectively, since I haven't seen the maintainer coming back.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => oe
Sorry, Philippem, I forgot to CC you
CC: (none) => makowski.mageia
Blocks: (none) => 18947
(In reply to David Walser from comment #0)
> Finally, a CVE has been requested for upstream issue #248:
> http://openwall.com/lists/oss-security/2016/07/12/4

Fix:
https://github.com/libgd/libgd/commit/5ddd5a7eab0c107d3a5b5e9cc142bd163e8bac38

Hoping to get a CVE assignment soon.
Debian has issued an advisory for this on July 15:
https://www.debian.org/security/2016/dsa-3619
URL: (none) => http://lwn.net/Vulnerabilities/694782/
Tired of waiting for the CVE. Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or RLE value (upstream issue 248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
========================

Updated packages in core/updates_testing:
========================

libgd3-2.2.2-1.2.mga5
libgd-devel-2.2.2-1.2.mga5
libgd-static-devel-2.2.2-1.2.mga5
gd-utils-2.2.2-1.2.mga5

from libgd-2.2.2-1.2.mga5.src.rpm
CC: makowski.mageia, marja11, pkg-bugs => (none)
Assignee: oe => qa-bugs
Tried to find a way to use the PoC targa file to reproduce the issue before updating but cannot figure out how; what utility to use. Using ImageMagick returns something but that is not using gdlib functions, is it?

$ display test.tga
display: unexpected end-of-file `test.tga': No such file or directory @ error/tga.c/ReadTGAImage/552.

The upstream notice reports against gd_tga.c.

$ urpmq --whatrequires lib64gd3 | sort | uniq
amule
apcupsd
fceux
fswebcam
gd-utils
glibc-utils
gnuplot
gnuplot-nox
graphviz
lib64gd3
lib64gd-devel
lib64harbour-gd3
libgphoto-common
libpst
links-hacked
m17n-lib
mldonkey
mscgen
nagios-www
navit
nginx
nut-cgi
pcb
perl-GD
php-gd
python-gd
ruby-gd
tcl-graphviz
tengine
texlive
vnstat

$ urpmq -i gd-utils
http://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/5/x86_64/media/core/updates/media_info/20160719-124617-info.xml.lzma
Name        : gd-utils
Version     : 2.1.1
Release     : 1.mga5
Group       : System/Libraries
Size        : 108534
Architecture: x86_64
Source RPM  : libgd-2.1.1-1.mga5.src.rpm
URL         : http://www.libgd.org/
Summary     : The Utils files for gd

There does not seem to be a way to find what the Utils files are. /usr/bin contains:

/usr/bin/gd2copypal
/usr/bin/gd2togif
/usr/bin/gd2topng
/usr/bin/gdlib-config -> deprecated

The implication of some of the inline comments is that one needs to be a programmer and to use gd_tga.c to read the specimen targa file. I'll need to study the API.
CC: (none) => tarazed25
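The advisory in comment 8 names three header conditions under which the TGA decoder read out of bounds: a declared image size larger than the data actually present, a bpp value outside the supported depths, and an RLE packet count that runs past the buffer. The following C program is an added illustration written for this bug report; it is not libgd's gd_tga.c and not the upstream fix. It validates a TGA byte buffer against those three conditions before any decoding happens, for both uncompressed and RLE image types, which is the kind of check a tester can run on a suspect file without linking against libgd. The function names (tga_validate, build_tga, sample, the case_* helpers), the status codes and the 2x2 sample images are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum tga_status { TGA_OK = 0, TGA_ERR_SHORT_HEADER, TGA_ERR_BAD_BPP, TGA_ERR_BAD_TYPE,
                  TGA_ERR_OVERFLOW, TGA_ERR_TRUNCATED, TGA_ERR_RLE_OVERRUN };

/* size_t multiply that reports overflow instead of silently wrapping */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Validate a TGA byte buffer before decoding it. Illustrative code, not
 * libgd's gd_tga.c: it rejects the three header problems the advisory names
 * (declared size larger than the data, bpp outside 8/16/24/32, RLE packets
 * running past the pixel buffer or the input). Colour-mapped image types
 * are rejected rather than validated. */
enum tga_status tga_validate(const unsigned char *buf, size_t len)
{
    if (len < 18) return TGA_ERR_SHORT_HEADER;          /* fixed 18-byte header */
    unsigned id_len = buf[0], cmap_type = buf[1], img_type = buf[2], bpp = buf[16];
    size_t cmap_bytes = (size_t)(buf[5] | (buf[6] << 8)) * ((buf[7] + 7u) / 8);
    size_t width  = buf[12] | (buf[13] << 8);
    size_t height = buf[14] | (buf[15] << 8);
    size_t bytes_pp = bpp / 8, npix, need, offset, pos, pixels;
    int rle;

    if (bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return TGA_ERR_BAD_BPP;
    switch (img_type) {
    case 2: case 3:   rle = 0; break;   /* uncompressed truecolour / greyscale */
    case 10: case 11: rle = 1; break;   /* RLE truecolour / greyscale */
    default:          return TGA_ERR_BAD_TYPE;
    }
    if (!mul_ok(width, height, &npix)) return TGA_ERR_OVERFLOW;
    /* pixel data follows the header, the image id and an optional colour map */
    offset = 18 + id_len + (cmap_type == 1 ? cmap_bytes : 0);
    if (offset > len) return TGA_ERR_TRUNCATED;

    if (!rle) {                          /* raw: the whole pixel block must be present */
        if (!mul_ok(npix, bytes_pp, &need)) return TGA_ERR_OVERFLOW;
        return need > len - offset ? TGA_ERR_TRUNCATED : TGA_OK;
    }
    pos = offset; pixels = 0;
    while (pixels < npix) {              /* RLE: walk every packet header */
        if (pos >= len) return TGA_ERR_TRUNCATED;
        unsigned char hdr = buf[pos++];
        size_t count = (hdr & 0x7f) + 1u;
        if (count > npix - pixels) return TGA_ERR_RLE_OVERRUN;  /* would write past the image */
        need = (hdr & 0x80) ? bytes_pp : count * bytes_pp;      /* run packet vs raw packet */
        if (need > len - pos) return TGA_ERR_TRUNCATED;         /* would read past the input */
        pos += need;
        pixels += count;
    }
    return TGA_OK;
}

/* Constructed sample: a header for a w x h image of the given type and depth,
 * followed by n body bytes. Returns the total length written to out. */
static size_t build_tga(unsigned char *out, unsigned char img_type, unsigned w,
                        unsigned h, unsigned char bpp, const unsigned char *body, size_t n)
{
    memset(out, 0, 18);
    out[2] = img_type;
    out[12] = w & 0xff; out[13] = (w >> 8) & 0xff;
    out[14] = h & 0xff; out[15] = (h >> 8) & 0xff;
    out[16] = bpp;
    memcpy(out + 18, body, n);
    return 18 + n;
}

/* Every sample below claims to be a 2x2 image (4 pixels). */
static enum tga_status sample(unsigned char type, unsigned char bpp,
                              const unsigned char *body, size_t n)
{
    unsigned char buf[64];
    return tga_validate(buf, build_tga(buf, type, 2, 2, bpp, body, n));
}
static const unsigned char raw12[12] = {0}, raw6[6] = {0};
static const unsigned char rle_run4[4]   = {0x83, 0, 0, 0}; /* one run packet covering all 4 pixels */
static const unsigned char rle_run128[4] = {0xff, 0, 0, 0}; /* a run of 128 pixels: far too many */

enum tga_status case_ok(void)          { return sample(2, 24, raw12, 12); } /* 12 body bytes present */
enum tga_status case_short(void)       { return sample(2, 24, raw6, 6); }   /* only 6 of 12 present */
enum tga_status case_bad_bpp(void)     { return sample(2, 12, raw12, 12); } /* 12 bpp is not a TGA depth */
enum tga_status case_rle_ok(void)      { return sample(10, 24, rle_run4, 4); }
enum tga_status case_rle_overrun(void) { return sample(10, 24, rle_run128, 4); }

int main(void)
{
    printf("ok=%d short=%d bad_bpp=%d rle_ok=%d rle_overrun=%d\n", case_ok(), case_short(),
           case_bad_bpp(), case_rle_ok(), case_rle_overrun());
    return 0;
}
```

The validator deliberately stops at the header and packet structure and never touches pixel values, so a file that fails here can be set aside before any decoder sees it; a file that passes is only structurally consistent, not necessarily a correct image.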
What happened there?
I just saw CVE-2016-6207, fixed in PHP 5.6.24 and to be fixed in libgd 2.2.3, was committed on July 19:
https://bugs.php.net/bug.php?id=72558

I guess we should wait for 2.2.3.
Whiteboard: (none) => feedback
OK David. So far....

Worked through the list of dependent applications in comment 8 to find something that works easily. Picking gnuplot demos at random from /usr/share/doc/gnuplot-nox/demo/ demonstrated that gnuplot worked effectively before the updates. navit looks like an in-car navigation system. Opened a vnstat database for the eth0 connection (enp3s0) and restarted the service. Seems to be OK but not enough data yet to view.

Updated the packages on x86_64. Tested gnuplot, restarted the vnstat service, checked navit, amule opens a gui dialogue OK, so does pcb. Shallow testing looks OK.
If you want to exercise the GD API directly (like to open the PoC files), the easiest way I know of is to use PHP. I've written a little bit of php-gd code myself. It should be pretty well documented.
Blocks: (none) => 19009
Thanks for the tip David. Time to bite the bullet and delve into php.
Updated package uploaded for Mageia 5, freeze push pending for Cauldron.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or RLE value (upstream issue 248).

Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
https://bugs.php.net/bug.php?id=72558
========================

Updated packages in core/updates_testing:
========================

libgd3-2.2.3-1.mga5
libgd-devel-2.2.3-1.mga5
libgd-static-devel-2.2.3-1.mga5
gd-utils-2.2.3-1.mga5

from libgd-2.2.3-1.mga5.src.rpm
Summary: libgd new security issues CVE-2016-6132 and CVE-2016-6214 => libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214
Whiteboard: feedback => (none)
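The advisory above describes CVE-2016-6207 as an integer overflow inside _gdContributionsAlloc(), the routine that sizes the per-line weight tables used during resampling. The C snippet below is an added illustration of the general pattern such a fix applies, not libgd's code and not a copy of its patch: the byte count of a two-dimensional table of doubles is computed with explicit overflow checks, and the allocator returns NULL instead of an undersized buffer when the product would wrap. The names weights_bytes and alloc_weights and the dimensions used are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count for a lines x window table of doubles, or 0 when any of the
 * multiplications would wrap size_t. Illustrative, not libgd's code. */
size_t weights_bytes(size_t lines, size_t window)
{
    size_t cells;
    if (lines == 0 || window == 0) return 0;
    if (window > SIZE_MAX / lines) return 0;             /* lines * window wraps */
    cells = lines * window;
    if (cells > SIZE_MAX / sizeof(double)) return 0;     /* cells * sizeof(double) wraps */
    return cells * sizeof(double);
}

/* Allocate the table, or fail cleanly: an overflowed size would otherwise
 * hand back a small buffer that later writes run straight past. */
double *alloc_weights(size_t lines, size_t window)
{
    size_t bytes = weights_bytes(lines, window);
    return bytes ? calloc(1, bytes) : NULL;
}

int main(void)
{
    double *w = alloc_weights(4, 3);
    printf("4x3 table: %zu bytes, %s\n", weights_bytes(4, 3), w ? "allocated" : "refused");
    printf("huge table: %zu bytes, %s\n", weights_bytes(SIZE_MAX / 4, 8),
           alloc_weights(SIZE_MAX / 4, 8) ? "allocated" : "refused");
    free(w);
    return 0;
}
```

Passing the two factors to calloc(cells, sizeof(double)) directly would also catch the second wrap on a modern libc, but the explicit check keeps the first multiplication (lines * window) covered as well and makes the rejection visible to the caller.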
LWN reference for CVE-2016-6207:
http://lwn.net/Vulnerabilities/695169/
An issue in the test suite has been fixed by David Geiger.

Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or RLE value (upstream issue 248).

Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207).

A regression in the previous update that caused some packages to fail to build against libgd has also been fixed (mga#18947).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
https://bugs.php.net/bug.php?id=72558
https://bugs.mageia.org/show_bug.cgi?id=18938
https://bugs.mageia.org/show_bug.cgi?id=18947
========================

Updated packages in core/updates_testing:
========================

libgd3-2.2.3-1.1.mga5
libgd-devel-2.2.3-1.1.mga5
libgd-static-devel-2.2.3-1.1.mga5
gd-utils-2.2.3-1.1.mga5

from libgd-2.2.3-1.1.mga5.src.rpm
x86_64

Updated packages installed cleanly. Two-way gd2 image conversion utilities present in /bin. No gd2 images available.

$ pngtogd2 -i zoom.png -o zoom.gd2 2048 1
$ ls zoom.gd2
zoom.gd2
$ display zoom.gd2
display: no decode delegate for this image format `GD2' @ error/constitute.c/ReadImage/504.
$ file zoom.gd2
zoom.gd2: data
$ display zoom.gif

This shows the icon OK.

Currently there is no easy way to read the PoC targa file (CVEs 6132, 6214) at the command line. Dependent applications run fine at the shallow testing level.

-------------------------------------------------------------------------------

Checked a few applications. nginx started OK. The pcb circuit board interface comes up and looks functional. Opened the gui for amule a point2point network client. fceux opened a gui - something to do with emulating the Nintendo Entertainment System - cannot go any further.

$ vnstat
Database updated: Sat Jul 23 15:46:55 2016

   enp3s0 since 21/07/16

          rx:  1.55 GiB      tx:  82.91 MiB      total:  1.63 GiB

   monthly
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
       Jul '16      1.55 GiB |   82.91 MiB |    1.63 GiB |    6.99 kbit/s
     ------------------------+-------------+-------------+---------------
     estimated      2.12 GiB |     112 MiB |    2.23 GiB |

   daily
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     yesterday     74.90 MiB |   47.05 MiB |  121.95 MiB |   11.56 kbit/s
         today      1.47 GiB |   34.80 MiB |    1.50 GiB |  221.32 kbit/s
     ------------------------+-------------+-------------+---------------
     estimated      2.23 GiB |      51 MiB |    2.28 GiB |

$ cd /usr/share/doc/gnuplot-nox/demo
$ gnuplot <*>.dem

A successful tour of the demonstration scripts indicates that gnuplot is working fine. vector.dem created an output file so needed sudo to run. Best to run these from a user directory but some need data files from the demo directory.
Tested fine with my usual apache/php/libgd test case, Mageia 5 i586. Note that libgd runs its test suite at build time, so don't worry too much about the PoCs.
Whiteboard: (none) => MGA5-32-OK
[OT] Still trying to figure out how to run Hello World php script so not able to adopt your approach.

On topic: with both our tests this looks fine for the two architectures then. Validating.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory added
CC: (none) => tmb
Whiteboard: MGA5-32-OK MGA-64-OK => MGA5-32-OK MGA-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0258.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Upstream issue 248 = CVE-2016-6905:
http://www.openwall.com/lists/oss-security/2016/08/23/1
Summary: libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214 => libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214, CVE-2016-6905
Advisory:
========================

Updated libgd packages fix security vulnerabilities:

A read out-of-bounds was found in the parsing of TGA files when the header reports an incorrect size (CVE-2016-6132) or invalid bpp (CVE-2016-6214) or RLE value (CVE-2016-6905).

Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207).

A regression in the previous update that caused some packages to fail to build against libgd has also been fixed (mga#18947).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6905
http://openwall.com/lists/oss-security/2016/06/30/10
http://openwall.com/lists/oss-security/2016/07/13/12
http://openwall.com/lists/oss-security/2016/07/12/4
http://openwall.com/lists/oss-security/2016/08/23/1
https://bugs.php.net/bug.php?id=72558
https://bugs.mageia.org/show_bug.cgi?id=18938
https://bugs.mageia.org/show_bug.cgi?id=18947
Summary: libgd new security issues CVE-2016-6132, CVE-2016-6207, and CVE-2016-6214, CVE-2016-6905 => libgd new security issues CVE-2016-6132, CVE-2016-6207, CVE-2016-6214, and CVE-2016-6905
(In reply to David Walser from comment #22)
> Upstream issue 248 = CVE-2016-6905:
> http://www.openwall.com/lists/oss-security/2016/08/23/1

LWN reference:
http://lwn.net/Vulnerabilities/698984/